Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Netscape Certificate Management System Administrator's Guide: Configuring a Certificate Manager for
Previous Next Contents Index Bookshelf


Chapter 22 Configuring a Certificate Manager for Publishing

Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager. This chapter explains how to configure the Certificate Manager to publish to an LDAP directory, a flat file, and an online validation authority.

Before reading this chapter, you should have read the previous chapters in this part. In particular, you should be familiar with the mapper and publisher plug-in modules that are provided for the Certificate Manager. If you are not, see "Modules for Publishing Certificates and CRLs".

The chapter has the following sections:
Publishing Certificates and CRLs to a Directory
If you are using an LDAP-compliant directory, such as Netscape Directory Server, to publish and manage your user and group data, you can configure the Certificate Manager to communicate with this directory. The Certificate Manager can then publish end-entity as well as CA certificates and the certificate revocation list (CRL) to the directory. This way, your publishing directory acts as a common distribution point for information about users and other entities on the network, including each entity's current security credentials.

 Once the Certificate Manager is configured to publish to the directory, the following operations are performed automatically:

 To configure a Certificate Manager to publish certificates and CRLs to a directory, follow these steps:

 Step 1. Plan

Before configuring a Certificate Manager to publish its CA certificate, end-entity certificates, and CRLs to a directory, do this:

Step 2. Set Up the Directory for Publishing

For a Certificate Manager to publish certificates and CRLs to an LDAP directory, the directory needs to be set up to receive certificate- and CRL-related information from the Certificate Manager.

Step A. Verify the Directory Schema

For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with specific attributes and object classes. This section discusses those basic schema requirements. Is it assumed that you're familiar with directory schema and related terminology. If you're not, check the Directory Server documentation.

Required Schema for Publishing End-Entity Certificates

The Certificate Manager publishes an end entity's certificate to the userCertificate;binary attribute within the end entity's or subject's directory object. This attribute is multivalued; each value is a DER encoded binary X.509 certificate. The LDAP object class named inetOrgPerson allows this attribute. This object class is supported by Netscape Directory Server versions 1.0, 3.x, and 4.x. The mix-in object class named strongAuthenticationUser allows this attribute and can be combined with any other object class to allow certificate publication to that object. Note that the Certificate Manager does not automatically add this object class in the schema table of the corresponding Directory Server while publishing or unpublishing end-entity certificates. If the directory object that it finds does not allow the userCertificate;binary attribute, the addition or removal of that specific certificate fails.

If you have created user entries as inetOrgPerson, the userCertificate;binary attribute already exists in the directory. Otherwise, you must add the userCertificate;binary attribute to your directory schema table. For information on modifying directory schema, check the Directory Server documentation.

 Required Schema for Publishing the CA Certificate

The Certificate Manager publishes its own CA certificate in the caCertificate;binary attribute of the CA's directory object when the server is started; this is the object that corresponds to the Certificate Manager's issuer name. This is a required attribute of the certificationAuthority object class. Note that the Certificate Manager will add this object class to the directory entry for the CA, provided that it finds the CA's directory entry.

Required Schema for Publishing CRLs

The Certificate Manager maintains its list of revoked certificates in its internal database; this list is called the certificate revocation list (CRL). You can configure the server to publish the CRL to the directory whenever it is generated, which could be when a certificate is revoked and at regular intervals. You can also manually trigger the server to generate a CRL and publish it to the directory.

The Certificate Manager publishes the updated CRL to the CA's directory object under this attribute: certificateRevocationList;binary.

 This attribute is an attribute of the object class certificationAuthority. The value of the attribute is the DER encoded binary X.509 certificate revocation list. The CA's entry must already be a certificate authority.

 Step B. Add an Entry for the CA

Complete this step only if you want to manually create an entry for your CA in the directory--that is, you do not want use the automated feature built into the LdapCaSimpleCAMap plug-in module for creating the CA's entry in a directory; see "CA Certificate Mapper".

For the Certificate Manager to publish its CA certificate and CRL, the directory must include an entry for the CA. This section explains how to manually add this entry in Netscape Directory Server 4.x using the Directory Server window (which you can launch from within Netscape Console). To add this entry in Netscape Directory Server 3.x, use its HTML forms-based interface (also called the HTTP gateway).

 When adding the CA's entry to the directory, you need to select the entry type based on the distinguished name of your CA:

 After you select the correct entry type, you need to specify the required information to create the entry. Note that the entry you create doesn't have to be in the certificationAuthority object class. The Certificate Manager will convert this entry to the certificationAuthority object class automatically by publishing its CA's signing certificate (as explained in "Required Schema for Publishing the CA Certificate").

To create an entry for the Certificate Manager in Netscape Directory Server, version 4.x:
  1. Log in to Netscape Console (see "Logging In to Netscape Console").

  2. Locate the Directory Server instance you want the Certificate Manager to use for publishing certificates and CRLs.

  3. Double-click the instance or select the instance and click Open.

    4. This opens the Directory Server window.

  4. Select the Directory tab.
    5.

  5. Select the domain name, right click, select New, and then select Other.

    6. The "New object" window appears.

  6. Select "person" and click OK.
    7.

    The Property Editor - New window appears.

  7. Enter the required information.
    8.

    Full name. Enter the common name (the value of the CN component) of the CA exactly as it appears in the issuer DN; this DN shows up in the CA's signing certificate. For example, if your CA's issuer DN is CN=testCA, OU=Research Dept, O=Siroe Corporation, ST=California, C=US, you should enter testCA in this field.

    Last name. Enter the name again; it must be the same as the one you entered in the "Full name" field.

  8. Keep the default values in the remaining fields, and click OK.

    9. The new entry appears in the Directory tab.

  9. Verify that the entry has been created.
    10.

    1. Double-click Directory Administrators, click Members, and then click Add.
      2.

    2. Search for the user entry you added earlier.

    3. Click OK and again OK.

Step C. Identify an Entry That Has Write Access

When you configure the Certificate Manager to work with Directory Server, you'll be required to specify a distinguished name in the directory that has read-write permissions to the directory. To publish certificates and CRLs to the directory, the Certificate Manager needs to use a user entry (in the directory) that has write access to the directory. This enables the Certificate Manager to bind to the directory as this user and modify the user entries with certificate-related information and the CA entry with CA's certificate and CRL related information.

To provide the Certificate Manager with a user entry that has read-write permission, you can do either of the following:

 For instructions on giving write access to the Certificate Manager's entry, see your LDAP directory documentation. In either case, note the entry DN and the corresponding password as you will be required to identify this user entry to the Certificate Manager later; see "Step 5. Identify the Publishing Directory".

Step D. Verify Entries for End Entities

The publishing directory must contain an entry for each end entity for whom you want a certificate published. If the end entity does not have an entry in the directory, the Certificate Manager will not be able to publish the end entity's certificate.

To add an entry for each end entity, you can use the tools provided with Directory Server. Keep in mind that the end-entity entries must belong to an object class, such as inetOrgPerson, that allows the userCertificate;binary attribute.

 Note If you configured the Certificate Manager to use directory-based authentication for end entities and are using the same directory for authentication and publishing, you may not have to deal with this issue. The server will not issue certificates to end entities that do not have entries in the directory. See "End- Entity Authentication During Certificate Enrollment".

Step E. Specify the Directory Authentication Method

Depending on how you want the Certificate Manager to authenticate to the directory, you must set up Directory Server for one of the following methods of communication:

The instructions that follow explain how to configure Netscape Directory Server 4.x for all of the above methods of communication. If you're using any other directory, refer to the documentation that accompanied that product.

 Publishing With Basic Authentication

To configure Directory Server for basic authentication:

  1. Go to the Directory Server window.
    2.

  2. Select the Configuration tab, and then in the right pane, select the Encryption tab.

  3. Make sure that the Enable SSL box is unchecked. If it's checked, uncheck it.

  4. Click Save.

    5. You are prompted to restart the server. Don't restart the server yet; you can do this after you've made all the configuration changes.

Publishing Over SSL Without Client Authentication

To configure the Directory Server for SSL-enabled communication:

  1. Go to the Directory Server window.
    2.

  2. Select the Configuration tab, and then in the right pane, select the Encryption tab.

  3. Check the Enable SSL box.

  4. In the Cipher Family section, check the RSA box.

  5. Click the Cipher Preferences button and select the appropriate SSL ciphers.

    6. For details on individual ciphers, click the Help button.

  6. In the Client Authentication section, select the "Allow client authentication" option.
    7.

    Be sure not to select the "Require client authentication" option. If you do, Netscape Console will not be able to communicate with the directory.

  7. Click Save.
    8.

    You are be prompted to restart the server. Don't restart the server yet; you can do this after you've made all the configuration changes.

Publishing Over SSL With Client Authentication

For the Certificate Manager to publish to the directory with SSL client authentication, Directory Server must

The steps that follow explain how you can configure Directory Server for all of the above.

 Step 1. Check the Directory Server's Certificate Database

 Before getting an SSL server certificate, determine whether Directory Server already has an SSL server certificate installed in its certificate database and whether you want Directory Server to use the same certificate during the SSL handshake.

 To check the Directory Server's certificate database:
  1. Go to the Directory Server window.
    2.

  2. Select the Tasks tab.

  3. From the Console menu, choose the Manage Certificates option.

    4. The Certificate Management dialog box appears showing a list of all the certificates installed for Directory Server.

  4. Scroll through the list to see if it contains the SSL server certificate that you want to use.
    5.

Step 2. Generate an SSL Server Certificate Request for Directory Server

 The steps below explain in general how to generate a certificate signing request (CSR) using the Certificate Setup Wizard, which is built into the Directory Server window available within Netscape Console. For detailed instructions on each step of the wizard, you should read the on-screen instructions and view the online help by clicking the Help button.

 In the first step of generating the CSR, you will be asked to specify whether the certificate is for a new key pair or an exiting key pair and the method for submitting the CSR to the CA.

 To generate a certificate request:
  1. In the Directory Server window, select the Tasks tab, and then click the Certificate Setup Wizard button.
    2.

  2. Select the token for generating the key pair (and for storing the certificate). Since you don't have the certificate, select No.

    3. If you're generating the certificate for the first time, the wizard informs you that it needs to create a trust database (cert7.db and key3.db files) for Directory Server.

  3. When prompted for the password, enter the password.
    4.

    Remember this password because you will be required to supply it when starting Directory Server from now on.

    Once the trust database is generated, the wizard steps for generating the CSR begin.

  4. You are asked to specify whether the certificate is for a new key pair or an existing key pair and the method for submitting the CSR to the CA.

    5. The choices for submitting the CSR to the CA include the following:

    To CA's email address. Select this if you want to send the CSR to the CA administrator's email address. Type the administrator's email address (for example, jdoe@siroe.com) in the adjoining field. The administrator will then be required to submit the request to the CA by pasting the CSR in the CA's server enrollment form.

    To CA's URL. Select this if you want to submit the CSR to the Certificate Manager directly. Depending on the end-entity port that's enabled, type either of the following URL:

    http://<CA's_host_name>:<end_entity_port>/enrollment

    or

    https://<CA's_host_name>:<end_entity_SSL_port>/enrollment

    Note that the request submitted to the CA's URL gets queued for approval by the Certificate Manager agent.

  5. When the wizard displays the CSR, if you are running the wizard on a Windows NT system, copy the CSR (displayed in its base-64 encoded format) to a text file. The information you copied should look similar to the sample shown below. Do not make any changes to it. (As indicated in the message, a copy of this information is also saved to the /temp file in the host machine's file system.)
    6.

    -----BEGIN NEW CERTIFICATE REQUEST-----

    MMIIBnzCCAQgCAQAwXzELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1JOSUExHTAbBgNVBAo
    pME5ldHNjYXBlIENvbW0uIENvcnAuMRwwGgYDVQQDExNzdXByaXlhLW50Lm1jb20uY29tMIGfMA0G
    CSGSIb3DQEBAQUAA4GNADCBiQKBgQCk49jBib3SZQqTt5YtIGugnVOq38Y1CcB9xowCsapR+DIow8
    MUVWGRUT38mcX0lfpNT4hzW1aePiHersIMZFLxRgel0kEtJ0ClWfNQKzrnOfpL1H3CjcLjSM5hWaF
    t0M5hfZEtPk+XBsMbu3dCtbRacxs0M2I0AVkf+kp24ePvqD8QIDAQABoAAwDQYJKoZIhvcNAQEE
    BQADYEAdE0hZFHK6fAonMnHmNz46M96qqgtjwO3R9alt1l+0YWKslCjf+ThG38adNw1aH0qioW7yl
    THJhpHF48M3SmmTqR7S3yKg+3ECLWbMYmUmd2wNTxsIdD4r8ySByxMIncVSvCjFOHJnifZCUqr+0N
    ukZnqhDWqy0vqrGW71akstyyttdtttyyy790bfgfiwrytdnbjdgnhffnb0hgjyu08o=po=9=

    -----END NEW CERTIFICATE REQUEST-----

Step 3. Submit the Request to a CA and Get the SSL Server Certificate

 If you decided to submit the certificate request to an external CA, you need to go to that CA's enrollment area and use the form provided for requesting SSL server certificates. After you submit the request, hold on to the confirmation message until you receive the certificate. When the CA sends the certificate to you, complete the remaining configuration, starting from "Step 6. Install the Certificate in the Directory Server's Certificate Database".

The instructions in this step explain how to request the SSL server certificate from the Certificate Manager manually. You should complete this step if you didn't use the auto-submit feature of the wizard to directly send the CSR to the Certificate Manager's URL.

 To submit the request to the Certificate Manager manually:
  1. Open a web browser window.
    2.

  2. Go to the end-entity interface of the Certificate Manager (or to the Registration Manager that's connected to the Certificate Manager).

  3. In the left frame, under Server, click SSL Server.

  4. In the server enrollment form that appears, enter the required information:

    5. PKCS#10 Request. Paste the base-64 encoded blob, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, you copied to the text file earlier.

    Name. Type your name.

    Email. Type your business email address, for example, jdoe@siroe.com.

    Phone. Type your business phone number.

    Additional Comments. Type any information that will help you identify this request in the future or will help the person who will process this request.

  5. Click Submit.

Step 4. Approve the Request You Submitted

 Skip to the next step if you submitted the CSR to an external CA. Complete this step if you submitted the CSR to the Certificate Manager.

 To access the agent queue and approve the SSL server certificate request you submitted:
  1. In the browser window, go to the Certificate Manager Agent Services interface. (If you submitted the request to a Registration Manager, go its agent interface.)
    2.

  2. In the left frame, select List Requests. In the form that appears, select the "Show pending request" option and click Find.

  3. In the request queue, locate the request you submitted and click Details.

  4. Verify the information and click Do It.

    5. If your request contained all the required information, the server issues a certificate and you should see a message indicating so.

  5. Click Show Certificate.
    6.

    The complete details about the certificate appear. Don't close the page; in the next step, you'll need to copy the certificate from this page.

Step 5. Copy the SSL Server Certificate

 You must go through this step, irrespective of whether you submitted the CSR to the Certificate Manager or to an external CA.

 To install the certificate in the Directory Server's database, you need to have a copy of the certificate in its base 64-encoded format:

 The steps below explain how to copy the base 64-encoded blob of the certificate from the confirmation page that you received from the Certificate Manager:
  1. In the page that shows the certificate details, scroll down to the section that says "Installing this certificate in a server".
    2.

  2. Copy the base-64 encoded certificate, including the ----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file or to the clipboard; be sure not to make any changes to the text blob. An example of the information you should copy is shown below:

    3. -----BEGIN CERTIFICATE-----

    MMIICVDCCAf6gAwIBAgIBDDANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBM
    Q0M0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxETAPBgNVBAoTCE5ldHNjYXBlMRUwEwYDVQQLEwx
    TZW1cml0eVB1YnMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNOTkwNzA5MjIxNjQ5W
    hcMDAwNzA4MjIxNjQ5WjCQYDVQQGEwJVczETMBEGA1UECBMKQ0FMSUZPUk5JQTEdMBsGA1UEChMUT
    m0c2NhcGUgQ29tbS4gQ29ycC4xHDAaBgNVBAMTE3N1cHJpeWEtbnQubWNvbS5jb20nbh4++oPxAgM
    AAGjRjBEMBEGCWCGSAGG+EIBAQQEAwIGQDAOBgNVHQ8BAf8EBAMCBPAwHwYDVR0jBBgFoAUXuCIMl
    07LCdanaxlek5DlpU4cxLgwDQYJKoZIhvcNAQEEBQADQQCagJsZwKG2usqiQ+bmZ0TJb44XhXDLRY
    1GkbXtNLLf5acA1iBvi0cbEG5UsZk5zdB5zSDDe7Tuk9HrbyQrtQ6F

    -----END CERTIFICATE-----

Step 6. Install the Certificate in the Directory Server's Certificate Database

 You must go through this step, irrespective of whether you requested the certificate from the Certificate Manager or from an external CA.

 To install the SSL server certificate in the Directory Server's certificate database:
  1. Go to the Directory Server window.
    2.

  2. Start the Certificate Setup Wizard.

  3. In the first step that the wizard displays, select the "Install Certificate for This Server" option.

  4. In the second step, select the "The certificate is located in the following text field" option and paste the certificate blob, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, you copied earlier.

  5. Follow the prompts and add the certificate to the certificate database.

Step 7. Copy the CA Chain

 You must go through this step, irrespective of whether you requested the certificate from the Certificate Manager or from an external CA.

 The steps in this section explain how to copy the CA chain, if you requested the SSL server certificate from a Certificate Manager. If you got the certificate from an external CA, make sure that the CA's chain exists in certificate database of Directory Server; otherwise, go to the CA site and copy the chain.
  1. Go to the end-entity interface of the Certificate Manager (or to the Registration Manager that's connected to the Certificate Manager).
    2.

  2. Click the Retrieval tab.

  3. In the left frame, click Import CA Certificate Chain.

  4. In the form that appears, select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and click Submit.

    5. The CA certificate chain appears.

  5. Copy the base-64 encoded certificate blob, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file or the clipboard.
    6.

Step 8. Install the CA Chain in the Directory Server as a Trusted CA

 To install the CA chain:
  1. Go to the Directory Server window.
    2.

  2. Start the Certificate Setup Wizard.

  3. Select the option to install a certificate for a trusted certificate authority.

  4. Select the "The certificate is located in the following text field" option and paste the certificate blob, including the -----BEGIN CERTIFICATE---- and -----END CERTIFICATE----- marker lines, you copied earlier.

  5. Follow the prompts and add the CA certificate chain to the certificate database of Directory Server.

Step 9. Confirm that the New Certificates are Installed

 To verify that the certificates are installed in the certificate database of Directory Server:
  1. In the Directory Server window, select the Tasks tab.
    2.

  2. From the Console menu, select Manage Certificates.

    3. The Certificate Management dialog box appears showing a list of certificates installed for Directory Server.

  3. Scroll through the list. You should find the certificates you installed. If you find the certificates, your server is ready for SSL activation.
    4.

Step 10. Verify the Port Number

 Before turning on SSL-enabled communication for Directory Server, you must verify that the configured port number can be used for this purpose. If not, you must change the port number to a valid one.

 To modify the port (for a secure port) on which the Directory Server listens for incoming requests:
  1. In the Directory Server window, select the Configuration tab, and then in the navigation tree, select the root (the topmost) item.
    2.

  2. Select the Settings tab in the right pane.

    3. Port. Type the port number you want the server to use for non-SSL communication. The default port number is 389.

    Encrypted Port. Type the port number you want the server to use for SSL-enabled communication. The default secure port number is 636. The encrypted port number that you specify must not be the same as one you specified in the Port field.

  3. Click Save.

    4. You are be prompted to restart the server. Don't restart the server yet; you can restart it after you've made all the changes.

    Be aware that changing the Directory Server port number requires you to change the corresponding port number in all other servers that communicate with the directory. For example, if you have other Netscape Servers installed that point to the directory, you need to update those server configurations to use the new port number. For details, see Managing Servers with Netscape Console (to locate this document, see <server_root>/manual/index.html).

Step 11. Turn on SSL-Enabled Communication

 To turn on SSL-enabled communication in Directory Server:
  1. In the Directory Server window, select the Configuration tab, and then in the right pane, select the Encryption tab.
    2.

  2. Check the Enable SSL box.

  3. In the Cipher Family section, check the RSA box.

  4. Click the Cipher Preferences button and select the appropriate SSL ciphers.

    5. For details on individual ciphers, click the Help button.

  5. In the Token drop-down list, select the token that contains the key pair for the certificate you installed (or for the certificate you want the server to use).
    6.

  6. Select the certificate you want the server to use during SSL-enabled communication with the Certificate Manager.

  7. In the Client Authentication section, select the appropriate option:

    8. Do not allow client authentication. Select this if you want to configure the directory for basic authentication or for SSL-based communication without client authentication.

    Allow client authentication. Select this if you want to configure the directory for SSL client authenticated communication.

    Require client authentication. Don't select this option. If you do, Netscape Console will not be able to communicate with Directory Server. This is because Netscape Console does not support client-authenticated communication yet. For example, if you're using the same directory for user data and configuration information of other Netscape servers and if you configure Directory Server to require client authentication, you will no longer be able to manage your Netscape servers from Netscape Console; instead, you will be required to use the command-line tools.

  8. Click Save.

    9. You are prompted to restart the server. Don't restart the server yet; you can restart it after you've made all the required changes.

Step F. Modify the Certificate Mapping File

This step explains how to modify the certmap.conf file to add a certificate mapping rule for the CA's entry you created. You need to go through this step only if you configured the directory for SSL client authenticated communication. Otherwise, skip to "Step G. Restart Directory Server".

When the Certificate Manager presents its certificate for SSL client authentication, Directory Server uses the mapping rule specified in the certmap.conf file to locate the corresponding entry in the directory and then determine the access privileges set for the entry. The certificate mapping file is located in the <server_root>/shared/config directory, where <server_root> is the directory in which the Directory Server binaries are installed.

 The certmap.conf file specifies the following:

 The file contains one or more named mappings, each applying to a different CA. A mapping has the following syntax:

 
certmap <name> <issuerDN>


<name>:<property1> [<value1>]


<name>:<property2> [<value2]


...


<name>:<propertyn> [<valuen]

The first line specifies a name for the entry and the DN of the issuer of the client certificate--in this case, the issuer of the certificate the Certificate Manager will present during client authentication. (By default, the Certificate Manager uses its SSL server certificate generated during installation.) The name is arbitrary; you can define it to be whatever you want. However, the issuer DN must exactly match the issuer DN of the CA that has issued the certificate the Certificate Manager will use for client authentication. For example, the following two issuer DN lines differ only in the number of spaces separating the attribute value assertions (AVAs), but the Directory Server will treat these two entries as different:

certmap moz CN=myCA,OU=myDept,O=myCompany,C=US

 certmap moz CN=myCA,OU=myDept,O=myCompany, C=US

 The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties, but the ones that should be of use to you are explained below. For in depth detail about the certmap.conf file, see Managing Servers with Netscape Console (open the <server_root>/manual/index.html file to locate this document).

 The following two examples illustrate two different ways you can use the certmap.conf file.

 


certmap default default

default:dnComps

default:filterComps E, UID



certmap MyCA CN=CA,OU=MyGroup,O=MyCompany,C=US

MyCA:dnComps OU,O,C

MyCA:filterComps E

MyCA:verifycert on
This file has two mappings: a default one and another for MyCA. When the Directory Server gets a certificate from anyone other than MyCA, the server uses the default mapping, which starts at the top of the LDAP tree and searches for an entry matching the client's email address and user ID. If the certificate is from MyCA, the server starts its search at the LDAP branch containing the organizational unit and searches for matching email addresses. Also note that if the certificate is from MyCA, the server verifies the certificate with the one stored for the entry in the directory; other certificates are not verified. Note that the issuer DN in the certificate must be identical to the issuer DN listed in the first line of the mapping. Even an extra space after a comma will cause a mismatch.

 To modify the certmap.conf file:
  1. In the Directory Server host machine, go to this directory:
    <server_root>/shared/config
    2.

  2. Open the certmap.conf file in a text editor.

  3. Follow the instructions in the file and add the mapping information for the entry you added.

    4. The figure above shows the following mapping rule being added to the file:

    certmap myCA CN=rootCA, O=siroe.com

    #myCA:DNComps

    myCA:FilterComps

    This mapping rule specifies that if the name of the CA that signed the certificate used for SSL client authentication by the Certificate Manager is myCA and that the issuer name or DN of the CA is CN=rootCA, O=siroe.com, the server should use the FilterComps attributes to locate the entry.

    If you determine that the certmap.conf file needs an empty DNComps mapping (because your certificate subject name has no overlap with the corresponding directory DN), you may need to modify the default base DN in Directory Server by adding the following to the Directory Server configuration file:

    dn: cn=config

    changetype: modify

    replace: nsslapd-certmap-basedn

    nsslapd-certmap-basedn: dc=siroe, dc=com

  4. Save your changes, and close the file.
    5.

Step G. Restart Directory Server

For all your changes to take effect, you must restart Directory Server.

Step 3. Configure the Certificate Manager to Publish Certificates

This section explains how to specify certificate mapping and publishing rules the Certificate Manager should use to publish certificates to the correct entries in the directory.

Step A. Modify the Default Mappers, Publishers, and Publishing Rules

Complete this step if you decided to use any of the default mappers, publishers, and publishing rules created during installation. If you want to create new mappers, publishers, and publishing rules, skip to the next step, "Step B. Add Mappers, Publishers, and Publishing Rules".

During installation, the Certificate Manager automatically creates a set of mappers that you would most likely want to use. The names of the default mappers are as follows:

 Similar to mappers, the Certificate Manager also creates a set of publishers for your convenience. The names of the default publishers are as follows:

 The Certificate Manager also creates a set of publishing rules using the default mappers and publishers. The names of these rules are as follows:

 It is important that you review each of the default mappers, publishers, and publishing rules and modify them as suitable. The instructions below explain how to modify the default mappers, publishers, and publishing rules.

 Step A.1. Modify the Default Mappers

You can modify a mapper by editing its configuration parameter values; you cannot change the name of a mapper. To change the name of a mapper, you need to create a new mapper exactly like the mapper you want to rename, except with a new name, and delete the old mapper.

To modify a mapper:
  1. Log in to the CMS window for the Certificate Manager (see "Logging In to the CMS Window").

  2. Select the Configuration tab.

  3. In the navigation tree, select Publishing, and then select Mappers.

    4. The right pane shows the Mappers Management tab, which lists configured mappers.

  4. In the Mapper list, select a mapper that you want to modify.
    5.

    For the purposes of completing this instruction, assume that you selected the mapper named LdapUserCertMap.

  5. Click Edit/View.
    6.

    The Mapper Editor window appears, showing how this mapper is configured. An example is shown below.

  6. Make the necessary changes and click OK.
    7.

    You are returned to the Mappers Management tab.

  7. To modify the remaining mappers, repeat steps 4 through 6.
    8.

  8. Click Refresh to see the update status of all the mappers.

Step A.2. Modify the Default Publishers

Modifying a publisher involves changing its configuration parameter values; you cannot change the name of a publisher. To change the name of a publisher, create a new publisher using the same publisher plug-in module with the same parameter values, and delete the old one.

To modify a publisher:
  1. In the navigation tree, select Publishing, and then select Publishers.
    2.

    The right pane shows the Publishers Management tab, which lists configured publishers.

  2. In the Publisher list, select a publisher that you want to modify.
    3.

    For the purposes of this instruction, assume that you selected the publisher named LdapUserCertPublisher.

  3. Click Edit/View.
    4.

    The Publisher Editor window appears, showing how this publisher is currently configured.

  4. Make the necessary changes and click OK.
    5.

    You are returned to the Publishers Management tab.

  5. To modify the remaining publishers, repeat steps 2 through 4.
    6.

  6. Click Refresh to see the update status of all the publishers.

Step A.3. Modify the Default Publishing Rules

Modifying a publishing rule involves changing its configuration parameter values; you cannot change the name of a publishing rule. To change the name of a publishing rule, create a new rule with the same parameter values, and delete the old one.

To modify a publishing rule:
  1. In the navigation tree, select Publishing, and then select Rules.
    2.

    The right pane shows the Rules Management tab, which lists configured publishing rules.

  2. In the Rule list, select a publishing rule that you want to modify.
    3.

    For the purposes of this instruction, assume that you selected the rule named LdapUserCertRule.

  3. Click Edit/View.
    4.

    The Rule Editor window appears, showing how the rule is currently configured.

  4. Make the necessary changes and click OK.
    5.

    You are returned to the Rules Management tab.

  5. To modify the remaining rules, repeat steps 2 through 4.
    6.

  6. Click Refresh to see the update status of all the rules.

Step B. Add Mappers, Publishers, and Publishing Rules

Complete this step if you need to create new mappers, publishers, or publishing rules. For example, if you already configured the Certificate Manager for publishing all types of certificates in "Step A. Modify the Default Mappers, Publishers, and Publishing Rules", you can skip to the next step, "Step A. Specify CRL Details".

The instructions that follow cover how to add new mappers, publishers, and publishing rules for a CA certificate and for end-entity certificates. Creating of new mappers, publishers, and publishing rules for CRLs is covered in "Step 4. Configure the Certificate Manager to Publish CRLs".

Follow the steps that's appropriate for you:

 Step B.1. Create a Mapper for the CA Certificate

Creating a mapper for the CA certificate involves creating an instance of the mapper module that enables the Certificate Manager to locate the CA's entry in the directory; for a list of modules, see "Overview of Mapper Modules". Later, when creating the LDAP publishing rule for the CA certificate, you specify the mapper you create here.

To create a mapper:
  1. In the navigation tree of the CMS window, under Publishing, select Mappers.
    2.

    The right pane shows the Mappers Management tab, which lists configured mappers.

  2. Click Add.
    3.

    The Select Mapper Plugin Implementation window appears. It lists registered mapper modules.

  3. Select a module.
    4.

    The following choices are the ones provided by default with the Certificate Manager for mapping a CA's certificate to the CA's directory entry. (If you have registered any custom mapper modules, they too will be available here for selection.)

    LdapDNCompsMap. Select this if you want the server to locate the CA's entry by formulating the entry's distinguished name from components in the certificate subject name and using it as the search DN. For details, see "DN Components Mapper".

    LdapDNExactMap. Select this if you want the server to locate the CA's entry by searching for its certificate subject name. For details, see "Subject Name Mapper".

    LdapSimpleMap. Select this if you want the server to locate the CA's entry by formulating the entry's DN from components specified in the certificate subject name and attribute variable assertion (AVA) constants. For details, see "Simple Mapper".

    LdapSubjAttrMap. Select this if you want the server to locate the CA's entry by searching for an LDAP attribute whose value matches the certificate subject name. For details, see "Subject Attribute Mapper".

    For the purposes of this instruction, assume that you selected LdapDNCompsMapper.

  4. Click Next.
    5.

    The Mapper Editor window appears.

  5. Enter the appropriate information:
    6.

    Mapper ID. Type a unique name for the mapper that will help you identify it; use an alphanumeric string with no spaces.

    baseDN. Type the DN from which the server should start searching for the CA's entry in the directory. If you leave the next field, dnComps, blank, the server uses the base DN value to start its search in the directory. For example, O=siroe.com.

    dnComps. Type DN components (attributes) separated by commas, that you want the server to use to locate an LDAP entry that match the CA's information. The server gathers values for these attributes from the CA certificate subject name and uses the values to form an LDAP DN, which then determines where in the LDAP directory the server starts its search. For example, if the subject name of your CA's certificate is
    CN=testCA, O=siroe.com, C=US, and you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=siroe.com, C=US entry in the directory.

    If you leave the dnComps field empty, the server checks the value in the baseDN field and searches the directory tree specified by that DN. The server searches the entire LDAP tree for entries matching the filter specified by filterComps parameter values.

    filterComps. Type components the server should use to filter entries that result from the search. The server uses the filterComps values to form an LDAP search filter for the subtree. The server constructs the filter by gathering values for these attributes from the certificate subject name; it uses the filter to search for and match entries in the LDAP directory.

    If you need additional details about any of these parameters, click the Help button.

  6. Click OK.
    7.

    The Mappers Management tab appears, listing the new mapper.

Step B.2. Create a Mapper for End-Entity Certificates

Creating a mapper for end-entity certificates involves creating an instance of the mapper module that enables the Certificate Manager to locate the correct end-entity entry in the directory; for a list of modules, see "Overview of Mapper Modules". Later, when creating the publishing rule for end-entity certificates, you specify the mapper you create here.

To create a mapper for end-entity certificates, follow the procedure in Step B.1, above. Unlike the CA certificate mapper configuration, keep this mapper's configuration generic so that the Certificate Manager is able to locate any end-entity entry in the directory.

 Step B.3. Create a Publisher for the CA Certificate

Creating a publisher for the CA certificate involves creating an instance of the publisher module that enables the Certificate Manager to publish the CA certificate to the correct attribute in the CA's directory entry; for a list of modules, see "Overview of Publisher Modules". Later, when creating the LDAP publishing rule for the CA certificate, you specify the publisher you create here.

To create a publisher:
  1. In the navigation tree of the CMS window, under Publishing, select Publishers.
    2.

    The right pane shows the Publishers Management tab, which lists configured publishers.

  2. Click Add.
    3.

    The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.

  3. Select the module named LdapCaCertPublisher.
    4.

    As explained in "CA Certificate Publisher", only this module publishes the CA certificate to caCertificate;binary attribute in the CA's directory entry. (If you have registered any custom publisher modules, they too will be available here for selection.)

  4. Click Next.
    5.

    The Publisher Editor window appears.

  5. Enter the appropriate information:
    6.

    Publisher ID. Type a unique name for the publisher that will help you identify it later; be sure to use an alphanumeric string with no spaces.

    caCertAttr. The field shows caCertificate;binary, the directory attribute to publish the CA certificate. Leave it as it is. If the field is empty, type caCertificate;binary.

    caObjectClass. The field shows certificationAuthority, the object class for the CA's entry in the directory. Leave it as it is. If the field is empty, type certificationAuthority.

  6. Click OK.

    7. The Publishers Management tab appears, listing the new publisher.

Step B.4. Create a Publisher for End-Entity Certificates

Creating a publisher for end-entity certificates involves creating an instance of a publisher module that enables the Certificate Manager to publish an end-entity certificate to the correct attribute in the end entity's directory entry; for a list of modules, see "Overview of Publisher Modules"Later, when creating publishing rules for end-entity certificates, you specify the publisher you create here.

To create a publisher for end-entity certificates, complete the procedure in Step B.3 above. When selecting the publisher module, be sure to choose the module named LdapUserCertPublisher as this is the only module that allows publishing to the userCertificate;binary attribute of a mapped-directory entry.

 Step B.5. Create a Publishing Rule for the CA Certificate

Creating a publishing rule for the CA certificate involves creating a rule that uses the mapper and publisher that you created for the CA certificate in the previous steps.

To create a publishing rule:
  1. In the navigation tree, under Publishing, select Rules.
    2.

    The right pane shows the Rules Management tab, which lists configured publishing rules.

  2. Click Add.
    3.

    The Select Rule Plugin Implementation window appears. It lists registered modules that enable creating of publishing rules.

  3. Select the module named Rule.
    4.

    This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  4. Click Next.
    5.

    The Rule Editor window appears.

  5. Enter the appropriate information:
    6.

    Rule ID. Type a unique name for the rule; use an alphanumeric string with no spaces.

    enable. Select this option.

    predicate. Type HTTP_PARAMS.certType==ca, indicating that the rule be applied to the CA certificate only. (For information on predicates, see "Using Predicates in Policy Rules".)

    type. Select cacert.

    mapper. Select the mapper you added for locating the CA's entry in the directory.

    publisher. Select the publisher you added for publishing the CA's certificate to the directory.

  6. Click OK.

    7. The Rules Management tab appears, listing the new rule.

Step B.6. Create Publishing Rules for End-Entity Certificates

Creating a publishing rule for end-entity certificates involves creating a rule for publishing each type of end-entity certificates the Certificate Manager will issue:

You need to create a rule for each type of certificate using the mapper and publisher that you created for end-entity certificates.

 To create a publishing rule:
  1. In the navigation tree, under Publishing, select Rules.
    2.

    The right pane shows the Rules Management tab, which lists configured publishing rules.

  2. Click Add.
    3.

    The Select Rule Plugin Implementation window appears. It lists registered modules that enable creating of publishing rules.

  3. Select the module named Rule.
    4.

    This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  4. Click Next.
    5.

    The Rule Editor window appears.

  5. Enter the appropriate information:
    6.

    Rule ID. Type a name for the rule; use an alphanumeric string with no spaces.

    enable. Select this option.

    predicate. Type HTTP_PARAMS.certType==client, indicating that the rule be applied to client certificates only (see Table 22.1).

    type. Select certs.

    mapper. Select the mapper you added for locating end-entity entries in the directory.

    publisher. Select the publisher you added for publishing end-entity certificates (to the userCertificate;binary attribute of an end-entity entry in the directory).

  6. Click OK.

    7. The Rules Management tab appears, listing the new rule you just created for publishing end users' client certificates.

  7. Repeat steps 1 through 6 for each type of end-entity certificate the Certificate Manager will issue. Use Table 22.1 for filling in the correct values in the type and predicate fields. (For information on predicates, see "Using Predicates in Policy Rules".)

Table 22.1 Certificate type and predicate expression

End-entity certificate type
"type" field value
"predicate" field value
SSL client certificate
certs
HTTP_PARAMS.certType==client
SSL server certificate
certs
HTTP_PARAMS.certType==server
Object signing certificate
certs
HTTP_PARAMS.certType==objSignClient
Certificate Manager signing certificate (subordinate CA)
cacert
HTTP_PARAMS.certType==ca
Registration Manager signing certificate
certs
HTTP_PARAMS.certType==ra
OCSP responder certificate
certs
HTTP_PARAMS.certType==ocspResponder
Router certificate
certs
HTTP_PARAMS.certType==CEP-Router

Step 4. Configure the Certificate Manager to Publish CRLs

If you don't want the Certificate Manager to publish CRLs to the directory, skip to "Step 5. Identify the Publishing Directory".

You can configure the Certificate Manager to publish CRLs to the directory that is currently configured for publishing the CA and end-entity certificates. A configured Certificate Manager will publish the CRL to the CA's entry in the specified directory, replacing the old CRL with the new one; the old CRL is not saved. The Certificate Manager connects to the directory using the base DN and password that you will specify in "Step 5. Identify the Publishing Directory".

To configure a Certificate Manager to publish CRLs to the directory, follow these steps:

 Step A. Specify CRL Details

You can specify information, such as the publishing interval, the CRL version (whether to include CRL extensions), and the signing algorithm the Certificate Manager should use for signing the CRL object.

To specify CRL details:
  1. In the navigation tree of the CMS window, select Certificate Manager, and then in the right pane, select the Revocation List tab.

  2. In the Update Frequency section, specify the interval for publishing the CRL to the directory:

    3. Every time a certificate is revoked, or taken off-hold. Select this option if you want the Certificate Manager to generate the CRL every time it revokes a certificate. Keep in mind that the Certificate Manager attempts to publish the CRL to the configured directory whenever the CRL is generated, in this case, every time a certificate is revoked. Publishing a CRL can be time consuming if the CRL is large. Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may engage the server for a considerable amount of time; during this time, the server will not be able to service any requests it receives and will not be able to update the directory with any changes it receives.

    Update at this frequency. Select this option if you want the Certificate Manager to generate CRLs at regular intervals. In this case, the server publishes the CRL to the configured directory at the interval you specify.

    In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field.

    with a skew of. If you configure the server to update the CRL automatically every time period, the server by default adds a 5 second skew to the next update time to allow time to create the CRL and publish it. For example, if you configure the server to update the CRL every 20 minutes, and if the CRL is updated at 16:00:00, the CRL will be updated again at 16:19:55. You can configure the skew by changing the default value, which is specified in seconds.

  3. In the CRL Format section, specify the format for publishing the CRL:

    4. Include expired certificates. Check this box if you want the server to include revoked certificates that have expired in the CRL.

    Allow extensions. Check this box if you want to allow extensions in the CRL. If you enable this option, the server generates and publishes CRLs conforming to X.509 version 2 standard. If you disable this option, the server generates and publishes CRLs conforming to X.509 version 1 standard. By default, the server publishes version 1 CRLs. If you enable this option, be sure to set the required CRL extensions as described in "Step B. Set the CRL Extensions".

    Revocation list signing algorithm. Select the algorithm the server should use to sign the CRL. If the Certificate Manager's signing key type is RSA, select MD2 with RSA, MD5 with RSA, or SHA-1 with RSA. If the Certificate Manager's signing key type is DSA, select SHA-1 with DSA.

  4. To save your changes, click Save.

    5. If the changes you made require you to restart the server, you are prompted accordingly. However, don't restart the server yet; you can restart it after you've made all the required changes.

Step B. Set the CRL Extensions

Complete this step only if you configured the Certificate Manager to publish version 2 CRLs--that is, you selected the "Allow extensions" option in "Step A. Specify CRL Details".

During installation, the Certificate Manager creates default CRL extension rules; these are listed in Table 21.10. Note that the server is configured to add the CRL Reason extension only; all the other rules are in the disabled state. In this step, you modify the default CRL extension rules to add the required CRL extensions.

To specify the CRL extensions the Certificate Manager should set:
  1. In the navigation tree, under Certificate Manager, select CRL Extensions.
    2.

    The right pane shows the CRL Extensions Management tab, which lists configured extensions.

  2. To modify a rule, select it and then click Edit/View.
    3.

  3. Change the information as appropriate.

    4. Be sure to supply all the required values. Click the Help button for detailed information on individual parameters.

  4. Click OK.
    5.

    You are returned to the CRL Extensions Management tab.

  5. To modify other rules, repeat steps 2 through 4.
    6.

  6. Click Refresh to see the updated status of all the rules.

Step C. Create a Mapper for the CRL

The Certificate Manager publishes the CRL to the certificateRevocationList;binary attribute of the CA's directory entry. (See "Required Schema for Publishing CRLs")

Since you already created a mapper for locating the CA's entry (either in "Step A. Modify the Default Mappers, Publishers, and Publishing Rules" or in "Step B.1. Create a Mapper for the CA Certificate"), you can configure the Certificate Manager to use that mapper to locate the CA's entry for publishing the CRL; you don't need to create another mapper for publishing CRLs.

Step D. Create a Publisher for the CRL

Creating a publisher for the CRL involves creating an instance of the publisher module that enables the Certificate Manager to publish the CRL to the correct attribute in the CA's directory entry. In the next step, described in "Step E. Create a Publishing Rule for the CRL", you specify the publisher you create here.

To create a publisher for the CRL:
  1. In the navigation tree, click Publishers.
    2.

    The right pane shows the Publishers Management tab, which lists configured publisher instances.

  2. Click Add.
    3.

    The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.

  3. Select the module named LdapCrlPublisher.
    4.

    Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList;binary attribute of the CA's directory entry; for details, see "CRL Publisher". (If you have registered any custom publisher modules, they too will be available for selection.)

  4. Click Next.
    5.

    The Publisher Editor window appears.

  5. Enter the appropriate information:
    6.

    Publisher ID. Type a name for the rule; use an alphanumeric string with no spaces.

    crlAttr. Make sure this field shows the directory attribute to publish the CRL, certificateRevocationList;binary. If necessary, type it in.

  6. Click OK.

    7. The Publishers Management tab appears, listing the new publisher.

Step E. Create a Publishing Rule for the CRL

Creating a publishing rule for the CRL involves creating a rule that uses the mapper and publisher instances that you created in the previous steps. To create a publishing rule:

  1. In the navigation tree, click Rules.
    2.

    The right pane shows the Rules Management tab, which lists any currently configured publishing rules.

  2. Click Add.
    3.

    The Select Rule Plugin Implementation window appears. It lists registered modules that enable creating of publishing rules.